Intel is Stockpiling Legacy Hardware in a Secret Lab in Costa Rica
(Photo: Intel)Intel has been cranking out new software and hardware for as long as the company has existed, but it hasn’t maintained a central facility for dedicated security tests on its older hardware. That all changed in 2018, according to the Wall Street Journal, as the company began collecting as much “legacy” hardware as it could get its hands on, and then started squirreling it away in an undisclosed location in Costa Rica, The reason is simple: so they can test new software and hardware on older systems, to make sure there’s no security issues.
For example, let’s say Intel releases a new piece of software, or a driver, which happens regularly. Will there be any security issues running it on a Haswell CPU, circa 2013? Or Sandy Bridge, on a Windows 7 system? These are the types of scenarios the company realized it needed to be testing, as customers can take many years to upgrade to the latest version of a CPU or platform, and the company had to be sure it’s newest software didn’t allow security holes when deployed on legacy systems. Plus, nobody wants to be testing for security flaws on users’ systems “in the wild” or a corporate environment, where data loss could be a problem. This is the type of work that’s best done in a lab.
According to the Intel, planning first began in 2018, which allowed for the creation of the Long-Term Retention Lab, which went into operation in the second half of 2019. In its nascent stage, its stockpile of older hardware was so lacking the company had to turn to eBay to find some parts, such as Sandy Bridge CPUs. However, after ramping up, the 14,000 square foot warehouse now holds more than 3,000 items, including both software and hardware, going back about 10 years or so. Engineers working in the facility are able to assemble specific hardware and software combos for Intel employees to test remotely, anywhere in the world. Intel notes that a lot of the testing requests it receives are in response to flaws submitted by outside researchers who participate in the company’s bug bounty program. With a ticket in-hand for a suspected flaw, an engineer can grab an 8-year old motherboard and CPU off the shelf, install a specific BIOS and version of Windows on it, and try to duplicate the issue.
It’s not surprising that this initiative dates back to mid-2018. Meltdown and Spectre were disclosed in early 2018 and were a frequently discussed topic that year. A great deal of attention has been focused on speculative execution side channel attacks over the past four years. It seems likely that Intel’s effort to assemble this comprehensive security research facility was driven in part by a need for more robust testing in the wake of Meltdown and Spectre. The company issued patches for a wide range of hardware when Meltdown and Spectre were first disclosed, and it may have decided to codify those efforts into a more formal program. We’ve reached out to Intel on this point and will update this story when we hear back.
Update: According to an Intel spokesperson, Spectre and Meltdown contributed to the perception within Intel that this was an important project. They were not the sole factor, and some of the security initiatives that contributed to the Long Term Retention Lab date back a decade or more.
One interesting anecdote from the journal’s reporting is it sounds like Intel asked all of its current, and former, employees to pitch in with any hardware and knowledge/documentation they might have had lying around to assist with the project. It also sounds like a busy place to work, with one manager stating they receive 1,000 requests a month to create specific hardware and software configurations for remote security tests, and they also receive 50 new devices weekly.
Easily the most intriguing angle of this story is the fact that Intel won’t reveal the location of the facility, as Intel notes that access to the building is strictly controlled, with security cameras watching the antiquated hardware 24/7 as well. It sort of brings to mind a Jurassic Park scenario, with 20-foot tall electrified fences surrounding the “Sandy Bridge Compound.” Taking the analogy even further, we’re imagining an unnamed engineer stating for the record, “It’s 100 percent secure. This technology will never escape!”
All jokes aside, for software and hardware tinkers like ourselves this sounds like a dream job. A warm and affordable locale, important-sounding security badges and lanyards, and getting to build computers all-day. Where do we sign up?